key: cord-0714329-ri1bkq3p
authors: Das, Subrat; Siroky, Gregory P.; Lee, Shawn; Mehta, Davendra; Suri, Ranjit
title: Cybersecurity: the need for data and patient safety with cardiac implantable electronic devices
date: 2020-10-12
journal: Heart Rhythm
DOI: 10.1016/j.hrthm.2020.10.009
sha: 29583da3f5a9c859b0b3645a885378e07568b517
doc_id: 714329
cord_uid: ri1bkq3p

Remote monitoring (RM) of Cardiac Implantable Electronic devices (CIEDs) has become routine practice owing to the advances in biomedical engineering, the advent of interconnectivity between the devices through the internet, and the demonstrated improvement in patient outcomes, survival, and hospitalizations. However, this increased dependency on the Internet of Things (IoT) comes with its risks in the form of cybersecurity lapses and possible attacks. While there has not been a cyberattack leading to patient harm reported in literature to date, the threat is real and has been demonstrated in research laboratory scenarios and echoed in patient concerns. The CIED universe comprises a complex interplay of devices, connectivity protocols, and sensitive information flow between the devices and the central cloud server. Various manufacturers use proprietary software and black-boxed connectivity protocols which are susceptible to hacking. In this paper, we discuss the fundamentals of the CIED ecosystem, the potential security vulnerabilities, a historical overview of such vulnerabilities reported in literature, and recommendations regarding improving the security of the CIED ecosystem and patient safety.

Abstract: 23 Remote monitoring (RM) of Cardiac Implantable Electronic devices (CIEDs) has become routine 24 practice owing to the advances in biomedical engineering, the advent of interconnectivity 25 between the devices through the internet, and the demonstrated improvement in patient 26 outcomes, survival, and hospitalizations. However, this increased dependency on the Internet 27 of Things (IoT) comes with its risks in the form of cybersecurity lapses and possible attacks. 28 While there has not been a cyberattack leading to patient harm reported in literature to date, 29 the threat is real and has been demonstrated in research laboratory scenarios and echoed in 30 patient concerns. The CIED universe comprises a complex interplay of devices, connectivity 31 protocols, and sensitive information flow between the devices and the central cloud server. 32 Various manufacturers use proprietary software and black-boxed connectivity protocols which 33 are susceptible to hacking. In this paper, we discuss the fundamentals of the CIED ecosystem, 34 the potential security vulnerabilities, a historical overview of such vulnerabilities reported in 35 literature, and recommendations regarding improving the security of the CIED ecosystem and 36 patient safety. 37 Introduction: 41 Technological advances in microprocessors, high density battery designs, and biomedical 42 engineering in the last two decades have brought major changes in the way we monitor and 43 treat patients. These effects have mostly been felt in the field of cardiology, specifically in the 44 realm of Cardiac Implantable Electronic Devices (CIEDs), which include two broad categories, 45 permanent pacemakers (PPM) and implantable cardioverter defibrillators (ICD). PPM and ICD 46 differ in the programming and functionalities, but at the heart of the technology is a 47 programmable platform, a Lithium-ion or other type of battery, a capacitor, and a pulse 48 generator. With the advent of the Internet of Things (IoT) these devices can be used to 49 remotely monitor patients through cloud-based servers that provide data to the physician or 50 health care team (Figure 1 ). 51 It has been shown in several studies that remote monitoring (RM) of these devices improves 52 patient outcomes, survival and hospitalizations, and is being recommended as standard of care 53 in multiple consensus statements and guidelines published by the Heart Rhythm Society (HRS). 54 1, 2 . In view of this and the demonstrated reduction of in-person visits, the burden on physicians 55 and clinics, and established reimbursement for remote services, there has been an increasing 56 adoption of RM into medical practice. The increased dependence on IoT, however, comes with 57 its risks in the form of cybersecurity lapses and possible attacks. There have been multiple 58 instances of such theoretical breaches being reported by cybersecurity experts and the Food 59 and Drug Administration (FDA), as will be described in a later section of this manuscript. While 60 there has not been a cyberattack leading to patient harm reported in the literature to date, the 61 threat is real as has been demonstrated in research-laboratory scenarios. On a more fictional 62 J o u r n a l P r e -p r o o f domain, Homeland, the popular TV show, depicts the assassination of the Vice President of the 63 United States by a terrorist remotely hacking into the victim's pacemaker. This may also have 64 been a concern in 2007 when doctors replaced then Vice President Dick Cheney's implantable 65 defibrillator and asked the manufacturer to disable the remote monitoring feature, hoping to 66 keep would-be hackers out. 3

In this paper we discuss the basics of the CIED ecosystem, the potential targets for attack, the 68 reported events of such vulnerabilities in the literature including the mitigation strategies 69 involved, and the recommendations regarding improving the overall security of the CIED 70 ecosystem to improve patient safety.

The CIED universe 72 The CIED ecosystem is comprised of the implantable device, an external programmer (used in 73 the physician's office to interrogate and program said implanted device), a home monitor 74 (receives transmission from the implantable device and sends it through the internet to the 75 cloud server), the cloud server, and proprietary software/ hardware used by the physician's 76 office to access patient data. The flow of data and information between these devices occurs 77 via various open source and proprietary protocols that can be exploited. 78 Detailed hardware and software architecture of CIEDs are hard to obtain for this manuscript 79 due to the proprietary nature of such devices, but a basic understanding of such devices can be 80 formulated based on information gathered from patent documents and reverse engineering 81 efforts of cybersecurity experts. A CIED is comprised of four essential components: 82 J o u r n a l P r e -p r o o f a) Microprocessor-coordinates the activities between the various components of the 83 device and can be imagined as the 'brain' of the device. 84 b) Memory-comprises read-only memory (ROM) and random-access memory (RAM). The 85 ROM contains low-level executable data, also known as firmware. The RAM contains 86 device information, patient recordings, and treatment algorithms. The data collected by the home monitor and the external programmer are transmitted to the 105 cloud server and is further relayed to the physician's office over the Internet using Virtual 106 Private Networks (VPNs). This contains sensitive patient and device data, various triggering 107 events, and physician/ medical team information. Unfortunately, at all stages of this flow of 108 information there is a threat of it being hacked. 7 Per present guidelines, the CIED cannot 109 directly interact with or download firmware from the cloud server. The same is accomplished 110 through the external programmer at the physician office using RF or ICT. However, the RF 111 transmission can be intercepted using a software defined radio (SDR) and one can peek into 112 sensitive data or put malware into the implanted device during the firmware update. Hacking is defined as activities that are intended to compromise digital services including 120 computers, IOT devices or whole networks. 8 Though there has never been a documented 121 cyberattack that has led to patient harm, there are multiple avenues through which it can be 122 carried out. (Table 1) Moreover, the device manufacturers should be more forthcoming with responses to security 265 concerns raised by independent security experts and work with them to solve the issue 266 together. A more robust collaboration effort across CIED vendors is required to jointly develop 267 standards that improve and promote "herd immunity". 268 Another area of concern is the minimal accountability of the supply and use of programmers. As programmer which is being reported as lost should be deactivated by the manufacturer from its 277 central server. Also, it should be mandatory for the programmers to have booting password and verification from the manufacturer's server before it can initiate any telemetry session. 279 These steps will ensure that the programmers are being operated by authorized users. 280 Telemetry sessions initiated during office visits should also be timed and auto-terminate post 281 the specified time. This will ensure there are no indefinite telemetry sessions running between 282 the implantable device and the programmer which is an easy target for snooping using SDR. 283 The current philosophy of "security through obscurity" followed by the device manufacturers 

Striking the right balance when addressing 407 cybersecurity vulnerabilities

HRS Expert Consensus Statement on remote interrogation 409 and monitoring for cardiovascular implantable electronic devices. Heart rhythm

Hacked medical devices could wreak havoc on health systems

Medical implant communications service (mics) federal register, Rules 413 Reg 64 (1999) 69926{69934. Accessed

Frequency agile telemetry system for implantable medical device

Security and privacy qualities of medical devices: an 417 analysis of FDA postmarket surveillance

An overview of the security of cardiac implantable electronic 419 devices

Advisory ICSMA-17-241-01) abbott laboratories accent/anthem, accent mri, 422 assurity/allure, and assurity mri pacemaker vulnerabilities

Defending resource depletion attacks on implantable medical devices

430 Accessed. 431 14. LLC MW. MW is short St

Cardiac devices and cyber attacks: How far are they real? How to 433 overcome?

Cybersecurity vulnerabilities 435 of cardiac implantable electronic devices: Communication strategies for clinicians-Proceedings 436 of the Heart Rhythm Society's Leadership Summit

Hack causes pacemakers to deliver life-threatening shocks. Ars Technica

Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac 440 Devices, Programmers, and Home Monitors: FDA Safety Communication. FDA. 2020

Security of implantable medical devices with wireless connections: The 442 dangers of cyber-attacks

Longevity Estimator Software Error for Subset of Medtronic CIEDs | Heart Rhythm Society

Cybersecurity and medical devices: a practical guide 445 for cardiac electrophysiologists

HRS White Paper on interoperability of data from 447 cardiac implantable electronic devices (CIEDs)

Pacemaker Cybersecurity: Local Experience With a 449 Firmware Upgrade

Remote 451 monitoring of cardiac implantable electronic devices in Europe: results of the European Heart 452 Rhythm Association survey

Remote monitoring of cardiac implanted 454 electronic devices: legal requirements and ethical principles -ESC Regulatory Affairs 455

Committee/EHRA joint task force report. Europace. 2020

Executive Summary: Evolution of Health Data Regulation. Medium. 2019. 457 28. Meeting Medical Device Data Privacy, Governance, and Security Challenges